HA and General Internet Security

I'm thinking a VPN is probably the way to go, now it's finding the right one.

Like I was saying above, PiVPN is super easy. At least for me. And it’s free.

I would recommend running it on a separate Pi than your HA tho. So the cost would be the cost of another Pi unless you have one laying around.

http://www.pivpn.io/

They have a few links to some off-site tutorials. I think I used the first one along with the guide I mentioned above for a great in-depth walkthrough.

You might find your router supports/includes a VPN server. (mine does)

I have an Asus router that supports OpenVPN. Asus also provides a DDNS service, so they make it pretty simple to set up secure access from outside your home.
I even wrote a guide to set up the Asus and an iPhone or Android. You also need to run something like OpenVPN Connect on your phone to establish the VPN link.

I don’t open ports, I use OpenVPN.

2 Likes

Back on topic…

It sounds like your boolean flapped through the night, causing your garage door to open. This is BAD and a massive failure of the goals of Home Automation. Your personal safety was compromised while the garage door was open.

Some things I might try:

  • Move the automation into HomeAssistant, and protect against “flapping” booleans. You could do this by having a second boolean that will trigger to “away” only if the original boolean is “away” for 5 minutes or more.
  • Set up multiple methods of presence detection to protect against false aways.
  • Set up an automation to know if you are asleep or not.
  • Set up an automation that only lets someone become “away” if the front door has been opened or if there has been motion detected at the front door in the last 10 minutes.

Lastly, if I couldn’t get it to be 100% reliable, I would remove the garage door automations and not put my family/home at risk.

2 Likes

Just out of interest, if you don’t use DuckDNS then how are you accessing your system remotely? (assuming you don’t have a static IP). Have you set up any port forwarding? If so, for what features? Most issues have seemed to be around Samba being incorrectly set up.

As others have mentioned, it sounds more likely the issue is with automation, but I would check Samba if you have it set up.

As others have said, that automation sounds really risky. A single sensor that is able to open your house up based on basic presence detection is really bad design (imo).

Presence detection is always flaky. No matter how you do it, there are always false positives and negatives. Some methods are better than others, but no single method is perfect. So there is a good chance this was just an example of the presence detection failing. If you want something critical (like home security) connected to presence then you really need multiple, redundant checks with some logic cross checking these methods.

If you are looking to make a secure installation (I honestly don’t think this is your issue, the problem lies with the system you designed) then here are some items from a previous post about this:

1 Like

Yes, a static IP is being used. That is why I would like to secure my network better.

This sounds like a great start, my only issue is figuring out how to set all this up. I try my best to absorb all the YAML code but I always have trouble actually getting these things implemented. I read a lot of posts and check the component pages for examples but seriously struggle most of the time. I work a lot, I’m in pest control so I can’t always find the time to actually focus on the learning side of this. I love these suggestions and I will for sure implement them.

This is also a great idea, thanks for sharing this with me!

I hope you realize that DuckDNS is only ONE of the MANY dynamic DNS providers out there. I have literally never used DuckDNS but have had dynamic DNS hostnames for my network since around 2004/2005.

I currently have domain names through Namecheap and Google Domains, and use Google Domains’ dynamic DNS options on my router to update my IP for a few of my domains.

Remember the IP/Dynamic DNS is nothing to do with security. These are just means for you (and others) to link to your network.

The security of the network is down to the settings of your machines. That starts at the ports you open to the internet and goes through all the ways each machine can be accessed and modified, the user rights on each machine, how the traffic moves around the network (encrypted?) etc. Then that is all potentially compromised by one piece of software having a security flaw.

Just want to point out that this is not entirely true. In most cases it is. But when using multiple virtual hosts, the correct hostname has to be provided to get to the desired destination. So someone who does bulk scans of IPs may see there is something listening, but without the correct host header in the request it gets trickier. When SSL is in place a look at the certificate may reveal the needed hostname. But when using a wildcard certificate the hostname stays unknown. In my case for example my public hass is available at an address like fw34rf8w3eurh3r3289.mydomain.com. So to get that hostname an attacker would need to enumerate my DNS to find the correct hostname. And since the default vhost already yields a result I believe an attacker would not necessarily try to see if other hostnames could work as well. Unless it's a targeted attack of course.

Needless to say I also use a strong API password in HASS and Fail2ban + ModSecurity at the reverse proxy. Just wanted to point out that the usage of a reverse proxy CAN improve security if properly set up.

1 Like

Are you using iOS 12 by any chance? I have seen some very odd behaviour with HA and iOS 12 HomeKit. Turning things off and on randomly. So much so, I have reduced my use of HomeKit substantially for now.

I did this with our lights, as some of my touch (esp8266 home made jobs) need debouncing or a low pass filter, and would just turn on in the middle of the night.

- alias: 'Turn LEDUpLighter on when someone comes in and it is dark'
  initial_state: 'on'
  trigger:
    - platform: state
      entity_id: input_boolean.frontroom_occupancy
      from: 'off'
      to: 'on'
  condition:
    condition: and
    conditions:
      - condition: state
        entity_id: input_boolean.guest_mode
        state: 'off'
      - condition: numeric_state
        entity_id: sensor.esp1_ldr
        above: 150
      - condition: numeric_state
        entity_id: sensor.esp4_ldr
        above: 100
      - condition: time
        after: '06:00:00'
        before: '22:00:00'
      - condition: state
        entity_id: light.led_uplighter
        state: 'off'
  action:
    - service: scene.turn_on
      entity_id: scene.ComingHome

1 Like

I am also using strong passwords and Nginx with ModSecurity in front of HA. Configuring a WAF (Nginx) can be difficult though.
I would also recommend you to only allow traffic from your own country. I live in Denmark and it does not make sense to expose HA to Russian IP addresses for example.
You can download lists from various places - here’s one: https://www.ip2location.com/blockvisitorsbycountry.aspx.

1 Like

Rather than try to ban the world, try only allowing traffic from IP addresses you know. I was able to monitor the IPs my phone uses regularly and look up the subnets my provider uses and allow those subnets through on my open port. This is of course dependent on the capabilities of the router and/or services you are using.

One additional benefit of this is that scanners and the like don’t even see an open port, the scan returns like a closed port. I’ve tested this with a few different services and only scans from my trusted IPs see the open port.

Yes, exactly what I just suggested when I said “only allowing traffic from your own country”. I have 4 users on HA and they span across two different tele-providers, so I gave up on maintaining IPs for them and instead allowed Denmark.
You’re right about the scanners, but you can feed your firewall with the IPs as well. It doesn’t have to be your webserver.

There’s a lot of good information here about both security and reliability of the various components in question. However one thing that I’m surprised I haven’t seen… what do the HASS logs say about this?

Don’t get me wrong, security is extremely important and something good to work on in general, regardless of whether this particular event was caused by an attacker or just a malfunction in HASS or presence detection. But it seems like figuring out which would be a good thing.

I’m not sure if this would be different with the iOS presence detection components, but for me using Android and GPSLogger, my HASS logs contain the complete details of every update in lines like:

hass[518]: 2018-08-16 05:56:14 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed[L]: entity_id=device_tracker.02157df2c2d6e627, old_state=<state device_tracker.02157df2c2d6e627=home; latitude=33.xxxxxxxx, altitude=244.0, provider=gps, activity=, gps_accuracy=25, friendly_name=GalaxyS6, battery=97.0, speed=0.0, direction=0.0, source_type=gps, longitude=-84.xxxxxxxx @ 2018-08-15T19:20:15.039250-04:00>, new_state=<state device_tracker.02157df2c2d6e627=home; latitude=33.xxxxxxxx, altitude=0.0, provider=network, activity=, gps_accuracy=20, friendly_name=GalaxyS6, battery=96.0, speed=0.0, direction=0.0, source_type=gps, longitude=-84.xxxxxxxx @ 2018-08-15T19:20:15.039250-04:00>>

Assuming you still have the HASS logs from this time period (and possibly any other system or network logs), if you’re worried that someone compromised the security of your network and intentionally did this, I’d conduct a thorough analysis of the logs to try and determine if that’s actually what happened or not.

On another note, if you do think someone has remote access to your network, I’d immediately either disable anything that controls physical access (like the garage door) or at least have HASS notify you via SMS/email/push/etc. when it’s opened.
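The log review suggested in the post above, combined with the 5-minute "away" hold proposed earlier in the thread, as an added example that is not part of any original post: it parses `state_changed` lines in the format quoted above and separates short presence flaps from aways that actually lasted. The entity name `device_tracker.phone` and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Pattern for the "state_changed" log lines quoted in the thread (attributes ignored).
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?state_changed\[L\]: "
    r"entity_id=(?P<entity>[\w.]+), old_state=<state [\w.]+=(?P<old>[^;\s>]+)"
    r".*?new_state=<state [\w.]+=(?P<new>[^;\s>]+)")

def parse_transitions(lines):
    """Return sorted (time, entity, old, new) tuples where the state value changed."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["old"] != m["new"]:  # drop attribute-only updates (home -> home)
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            out.append((ts, m["entity"], m["old"], m["new"]))
    return sorted(out)

def classify_aways(transitions, entity, away="not_home", hold=timedelta(minutes=5)):
    """Split changes to `away` into flaps (reverted within `hold`) and held aways."""
    events = [t for t in transitions if t[1] == entity]
    flaps, held = [], []
    for i, (ts, _, _, new) in enumerate(events):
        if new != away:
            continue
        # No later event means the entity was still away when the log ended.
        nxt = events[i + 1][0] if i + 1 < len(events) else None
        (flaps if nxt is not None and nxt - ts < hold else held).append(ts)
    return flaps, held

# Constructed sample lines in the thread's log format; the entity name is hypothetical.
TEMPLATE = ("hass[518]: 2018-08-16 {t} INFO (MainThread) [homeassistant.core] "
            "Bus:Handling <Event state_changed[L]: entity_id={e}, "
            "old_state=<state {e}={o}; gps_accuracy=25 @ 2018-08-16T{t}-04:00>, "
            "new_state=<state {e}={n}; gps_accuracy=20 @ 2018-08-16T{t}-04:00>>")
SAMPLE = [TEMPLATE.format(t=t, e="device_tracker.phone", o=o, n=n) for t, o, n in [
    ("01:00:00", "home", "home"),       # attribute-only update
    ("02:10:00", "home", "not_home"),   # flips back after 90 s
    ("02:11:30", "not_home", "home"),
    ("02:40:00", "home", "not_home"),   # flips back after 45 s
    ("02:40:45", "not_home", "home"),
    ("08:05:00", "home", "not_home"),   # stays away all day
    ("17:30:00", "not_home", "home"),
]]

if __name__ == "__main__":
    flaps, held = classify_aways(parse_transitions(SAMPLE), "device_tracker.phone")
    print("flaps a 5-minute hold would have ignored:", [str(t) for t in flaps])
    print("aways that lasted 5 minutes or more:", [str(t) for t in held])
```

Flaps clustered overnight with no matching login or API activity in the same log point to unreliable presence detection rather than an intruder.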

I did check the logs and I didn’t see anything other than my presence Boolean switch from not_home to home a few times during the evening. Since then I did disable the automation during certain hours and changed my HA password. It hasn’t happened again since then.
I’m not convinced it was anybody that had unauthorized access to my HA but it was strange for sure.

I am going to read through this page better this weekend and implement some of the suggestions made.

I really do appreciate each and every one of you for taking your time and explaining how you secure your network. It means so much that you all care! I love Home Assistant and I will always try to help others when I can because this is an example of why this platform is the best out there. I have never been to a help forum that had so many good people in one place.

Bless you all my friends! And Thanks again!

2 Likes